APPLICATION
A PROJECT REPORT
Submitted by
BACHELOR OF TECHNOLOGY
in
INFORMATION TECHNOLOGY
HINDUSTHAN COLLEGE OF ENGINEERING AND TECHNOLOGY
COIMBATORE-641032
ANNA UNIVERSITY: CHENNAI 600 025
APRIL 2019
BONAFIDE CERTIFICATE
NAME
RAVI KUMAR M
SUGIL M
VIGNESHWARAN R
PROJECT GUIDE
Dr. D. RASI, M.E., Assistant Professor
Place: Coimbatore
We express our deep sense of gratitude and sincere thanks to our Head of the
Department, Dr. S. Saravanasundaram, Ph.D., who has been a spark for
enlightening our knowledge, for guiding us with constructive criticism and fruitful
suggestions for improvements in our project.
We express our deepest, heartiest and sincere thanks to our Project Guide
We convey our innermost gratitude to our staff members for their competent
support in the execution of the work.
We also thank all those who have rendered help directly and indirectly at
various stages of the project work.
ABSTRACT
Computer security has become one of the most important concerns in the entire discipline of
computing. The recent explosive growth of the Internet and the World Wide Web has brought with it
a need to protect sensitive communications over open networks. In the past, security violations
were generally committed by young adults, just for fun. But as technology and the usage of the
internet have increased, there is now the constant threat of planned attacks (cyber terrorists),
where the loss of money could be large, running into billions. So we have chosen this area of
network security, and studied VPNs (Virtual Private Networks) and the SSL (Secure Socket Layer)
protocol, the current driving topics in the field of security. In the recent past the SSL protocol
has revolutionized the area of VPNs (Virtual Private Networks). SSL-based VPN products allow users
to establish secure communication from virtually any Internet-connected web browser. It is simpler
and more efficient than its predecessor (IPSec) in implementing secure remote access. Security of
client-server communication is achieved by applying the principles of security, like authentication
and encryption. These techniques are implemented using new packages of J2SDK v1.4, like JSSE and
keytool. The rest of the application code is developed using Java Swing.
CHAPTER 1
INTRODUCTION
1.1 OBJECTIVE
Communication plays a vital role in the modern world, and with the invention of the internet,
public data telecommunication has become cost effective and efficient. However, it is a
challenge to harness this inexpensive internet infrastructure while keeping security a top
priority. The costs to a business and its reputation from stolen, manipulated or corrupted
data can be devastating. Security and privacy are the major requirements for communications
over the internet. The use of VPNs enables companies or organizations to maintain fast, secure
and reliable communications wherever their offices are located, hence making VPNs a necessity
for all organizations of the modern global economy.
The advantages associated with VPNs include the following. Extended geographic connectivity:
a VPN connects remote workers to central resources, making it easier to set up global
operations. Improved security: connecting a network to the internet makes it vulnerable to
hacker attacks, and VPN solutions include firewalls and encryption measures to counteract
network security threats. Scalability: a VPN allows an organization to utilize the remote
access infrastructure within ISPs, hence adding an unlimited amount of capacity. Lower costs:
VPNs lower costs by eliminating the need for expensive long-distance leased lines; a VPN needs
only a relatively short connection to the internet service provider (ISP), which could be a
local leased line.
CHAPTER 2
LITERATURE REVIEW
VPN
Virtual – virtual means not real, or in a different state of being. In a VPN, private
communication between two or more devices is achieved through a public network
(the internet). The communication is therefore virtual, not physical.
Network – a network consists of two or more devices that can freely communicate with
each other. A VPN can transmit information over long distances effectively and
efficiently.
Simply put, a VPN, Virtual Private Network, is defined as a network that uses
public network paths but maintains the security and protection of private networks.
Types of VPN
VPNs can be categorized as follows:
Site-to-site VPN
IPsec Remote access VPN
Clientless SSL VPNs
Site-to-site VPN
One of the features of the site-to-site VPN is that hosts do not have VPN client
software. Instead, they just send and receive normal TCP/IP traffic through a VPN
gateway. The VPN gateway is responsible for the encryption and encapsulation of
the outbound traffic. That means that there is a VPN tunnel through which
communication can be established between peers over the Internet.
Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and
relays the packet toward the target host inside its private network.
Basically, the site-to-site VPN extends the company's network, making
communication easier. A good example here could be a company with branches
in several remote locations.
IPsec Remote Access VPN
For remote access VPN connectivity with full integration into the LAN it is
necessary to employ an IPsec VPN connection between a VPN Gateway and
a remote client. As opposed to SSL, which operates at the application layer
and is typically limited to web applications or a web portal, IPsec is a
connectionless protocol that operates at Layer-3.
With IPsec VPN it is possible to give the remote user full or custom access
to the LAN with a user experience as if the remote user were physically
connected inside the LAN. Also, it would appear to devices inside the LAN
that the remote user was physically present. In other words, full network
extension can be achieved. An IPsec VPN deployment is particularly
necessary when the remote user needs to access applications that cannot be
managed through a web portal such as an ERP or legacy software.
Another challenge with IPsec VPNs can be navigating through firewalls and
NAT devices that are situated between the client and the gateway. (Matei
2012) Thankfully there are tools available that can help resolve these
challenges, such as NAT Traversal. Cisco’s implementation of this option is
called Easy VPN Server and it is the one we chose to implement for this
project.
Clientless Secure Sockets Layer (SSL) VPN
The SSL protocol is implemented at the Transport Layer and upwards in the
seven layer Open Systems Interconnection (OSI) network model. In contrast to
IPsec, the layer 3 (source and destination IP address) information is not
encrypted. The entire secure communications process between client and server
is quite complex but can be broken down into a nine-step process. This
handshake process is quite similar when using TLS.
IBM’s WebSphere online portal, which is the source of the graphic handshake
procedure representation above, also provides a short summary of the SSL
handshake procedure as follows:
1) “The SSL or TLS client sends a "client hello" message that lists
cryptographic information such as the SSL or TLS version and, in the client's
order of preference, the Cipher Suites supported by the client. The message also
contains a random byte string that is used in subsequent computations. The
protocol allows for the "client hello" to include the data compression methods
supported by the client.
2) The SSL or TLS server responds with a "server hello" message that contains
the Cipher Suite chosen by the server from the list provided by the client, the
session ID, and another random byte string. The server also sends its digital
certificate. If the server requires a digital certificate for client authentication,
the server sends a "client certificate request" that includes a list of the types of
certificates supported and the Distinguished Names of acceptable Certification
Authorities (CAs).
4) The SSL or TLS client sends the random byte string that enables both the
client and the server to compute the secret key to be used for encrypting
subsequent message data. The random byte string itself is encrypted with the
server's public key.
5) If the SSL or TLS server sent a "client certificate request", the client sends a
random byte string encrypted with the client's private key, together with the
client's digital certificate, or a "no digital certificate alert". This alert is only a
warning, but with some implementations the handshake fails if client
authentication is mandatory.
8) The SSL or TLS server sends the client a "finished" message, which is
encrypted with the secret key, indicating that the server part of the handshake is
complete.
9) For the duration of the SSL or TLS session, the server and client can now
exchange messages that are symmetrically encrypted with the shared secret
key.”
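The "client hello" of step 1 can be inspected directly on the wire. The following Python is an added example, not code from the report: it builds a constructed ClientHello record (no extensions), parses back the version, random bytes, session ID, the cipher suites in the client's order of preference and the compression methods, and flags the offers a defender would want to catch (pre-TLS 1.2 versions, EXPORT/RC4/3DES/MD5 suites, compression). The cipher-suite table is a small subset of the IANA registry.

```python
# Parse a TLS/SSL ClientHello (handshake step 1 above) and flag legacy offers.
# Added example, not from the report; the ClientHello bytes are constructed here
# rather than captured from a real client, and carry no extensions.
import os
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Small subset of the IANA cipher-suite registry, enough for the demonstration.
CIPHER_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "_MD5")

def build_client_hello(version, suites, compression=(0,)):
    """Serialise a minimal ClientHello inside a TLS record-layer header."""
    body = struct.pack(">H", version) + os.urandom(32) + b"\x00"   # version, random, empty session ID
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the fields step 1 lists; raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    sid_len = body[34]
    pos = 35 + sid_len                                   # past random and session ID
    if pos + 2 > len(body):
        raise ValueError("missing cipher suite list")
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len + 1 > len(body):
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    if len(compression) != body[pos]:
        raise ValueError("bad compression list")
    return {"version": struct.unpack(">H", body[0:2])[0], "random": body[2:34],
            "session_id": body[35:35 + sid_len], "cipher_suites": suites,
            "compression": compression}

def assess(hello):
    """Defender's checks: pre-TLS 1.2 version, weak suites, compression offered."""
    findings = []
    if hello["version"] < 0x0303:
        findings.append("legacy version " + VERSIONS.get(hello["version"], hex(hello["version"])))
    for code in hello["cipher_suites"]:
        name = CIPHER_SUITES.get(code, "unknown_%04x" % code)
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append("weak suite " + name)
    if any(method != 0 for method in hello["compression"]):
        findings.append("compression offered")
    return findings
```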
Unfortunately, even the SSL protocol cannot be considered entirely secure at
this point, as its encryption mechanisms appear to have been cracked by the
National Security Agency (NSA) in the US. According to Mike Janke, the
C.E.O. of the encrypted-communications company Silent Circle, “N.S.A.
developed a massive push-button scale ability to defeat or circumvent SSL
encryption in virtually real time.”
IKE Phase 1
The first SA is created during IKE Phase 1 and is essentially a control channel.
The purpose of the first phase is to establish a secure and authenticated channel
that will allow secure Phase 2 negotiations to take place. [8] It also
authenticates the peers.
It works in two modes:
Main mode (three two-way exchanges)
Aggressive mode
The main difference between these two is that aggressive mode passes more
information in fewer packets, with the benefit of slightly faster connection
establishment.
During the first step of Phase 1 the following parameters are negotiated as
policy sets:
Encryption – (DES, 3DES, AES)
Hash – (MD5, SHA-1)
Authentication – (Pre-shared keys, RSA signatures, RSA encrypted nonce)
Diffie-Hellman group
Lifetime
Once the policy set is negotiated, the second step of Phase 1 occurs when the
Diffie-Hellman protocol is run in order to establish the shared keys. These
shared keys will be retained and used in subsequent encryption algorithms and
hashes.
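Both steps of Phase 1 can be followed in a few lines of Python. The block below is an added example, not the report's or Cisco's code: the policy sets, proposals and priority numbers are constructed, the responder's first-match-by-priority selection is modelled on Cisco IOS policy numbering (an assumption about the model, not taken from the report), and the Diffie-Hellman step uses the real 1024-bit prime of IKE group 2 (RFC 2409) with generator 2, rejecting the trivial public values 0, 1 and p-1 that a peer must never accept.

```python
# IKE Phase 1 as the two steps described above: negotiate a policy set, then
# run Diffie-Hellman. Added example, not from the report or Cisco; the policy
# sets and proposals are constructed, and the prime is that of IKE DH group 2.
import secrets

# 1024-bit MODP prime of Diffie-Hellman group 2 (RFC 2409, section 6.2); generator 2.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUPS = {2: (GROUP2_PRIME, 2)}
POLICY_KEYS = ("encryption", "hash", "authentication", "group")

def negotiate_policy(initiator_proposals, responder_policies):
    """Step 1: the responder walks its policy sets in priority order (lowest
    number first, modelled on Cisco IOS policy numbering) and accepts the first
    one that an initiator proposal matches on encryption, hash, authentication
    and DH group; the lifetime becomes the shorter of the two. None = failure."""
    for priority in sorted(responder_policies):
        policy = responder_policies[priority]
        for proposal in initiator_proposals:
            if all(proposal[k] == policy[k] for k in POLICY_KEYS):
                agreed = {k: policy[k] for k in POLICY_KEYS}
                agreed["lifetime"] = min(proposal["lifetime"], policy["lifetime"])
                return agreed
    return None

class DhPeer:
    """One side of the step-2 Diffie-Hellman exchange over the agreed group."""

    def __init__(self, group):
        self.p, self.g = DH_GROUPS[group]
        self._x = secrets.randbelow(self.p - 3) + 2    # private exponent, never sent
        self.public = pow(self.g, self._x, self.p)     # KE payload sent to the peer

    def shared_secret(self, peer_public):
        # 0, 1 and p-1 would force a predictable secret; a peer must reject them.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self._x, self.p)

def phase1(initiator_proposals, responder_policies):
    """Run both steps; both sides must end up with the same shared secret."""
    agreed = negotiate_policy(initiator_proposals, responder_policies)
    if agreed is None:
        return None
    initiator, responder = DhPeer(agreed["group"]), DhPeer(agreed["group"])
    return {"policy": agreed,
            "initiator_secret": initiator.shared_secret(responder.public),
            "responder_secret": responder.shared_secret(initiator.public)}

# Constructed sample: the initiator prefers 3DES/MD5, the responder prefers AES/SHA.
INITIATOR_PROPOSALS = [
    {"encryption": "3des", "hash": "md5", "authentication": "pre-share", "group": 2, "lifetime": 3600},
    {"encryption": "aes", "hash": "sha", "authentication": "rsa-sig", "group": 2, "lifetime": 28800},
]
RESPONDER_POLICIES = {
    10: {"encryption": "aes", "hash": "sha", "authentication": "rsa-sig", "group": 2, "lifetime": 86400},
    20: {"encryption": "3des", "hash": "md5", "authentication": "pre-share", "group": 2, "lifetime": 86400},
}
```

Because the responder walks its own priorities first, the sample ends on AES/SHA even though the initiator listed 3DES/MD5 first.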
IKE Phase 2
The purpose of IKE Phase 2 is to negotiate and establish SAs that will protect
the IP traffic. The negotiation takes place over the control channel that is
created in Phase 1 and the newly established shared keys from Phase 1 may
also be used here. Unlike in Phase 1, the SAs in Phase 2 are unidirectional, so
two must be created, one in each direction. The IPsec tunnel terminates when
the IPsec SAs are deleted or when their lifetime expires.
IKE Versions
IPsec protocols
IPsec is a collection of protocols that provide encryption, authentication
and a key management system, ensuring the VPN peers' privacy and the
authenticity and integrity of data as the information crosses the unsecure
network. IKE and IPsec are the two building blocks for the formation of the
IPsec tunnel. IKE is responsible for determining identities and secrets. The
IPsec tunnel is used to transport data securely. There are two
IPsec framework protocols, AH and ESP.
Transport mode
Transport mode gives protection in the OSI layer stack from the transport
layer and above. It protects the data payload but does not protect the
original IP address. The original IP address is used to transport the data
through the Internet. ESP transport mode does not work through Network Address
Translation (NAT), since communication is end-to-end or between hosts.
Tunnel mode
Tunnel mode gives protection to the data and the source IP packet. The
original IP packet is encrypted and encapsulated in a new IP packet.
CHAPTER 3
METHODOLOGY
The three types of remote access VPNs that can be implemented for a medium-sized
office are:
1. IPsec Site-to-site VPN
2. IPsec client VPN
3. Clientless SSL VPN
The three will be analyzed and the most suitable among them will
be implemented for this case.
The devices needed to implement a remote access IPsec VPN include the following:
1. A Cisco router
2. A DSL modem
3. A switch
However, at the time of doing this project the above materials could not be
obtained from the department. I also could not manage to purchase them myself,
as they are expensive (a Cisco router, for example, goes for over Ksh. 50,000).
The above network shows a remote company employee connecting to the office
router using a DSL modem.
To enable the secured connection by the remote user, the company edge router
has to be configured to create the IPsec remote access VPN.
Configuration
To implement the IPsec remote access VPN in the cisco packet tracer, the
command line interface (CLI) was used to enter the VPN commands into the
office router.
CLI was also used to configure the other devices in the office, such as the
switches, ISP router, etc.
The bulk of the configuration, however, was on the office router, as this is where the
VPN was configured. A basic summary of the commands used in the
configuration is provided here with a short explanation of what each does.
In the appendix the detailed commands used in configuration are provided.
The AAA authentication and authorization are used with the local database.
This creates a user with username ‘VPN’ and secret password ‘bett8746’.
 lifetime 21600
 exit
Configuration for the IPsec policies and transform sets used during IPsec
negotiation:
Sets encryption to AES (Advanced Encryption Standard) with a 256-bit key.
Sets hashing to md5-hmac.
 reverse-route
ip dhcp pool REMOTE_POOL
 network 72.44.20.0 255.255.255.240
 default-router 72.44.20.14
 dns-server 10.10.10.1
Apart from the above benefit, the importance associated with VPNs is also of
great help to businesses. VPNs have advantages such as cost savings,
extended geographical connectivity and scalability, which are all of great
importance to efficiency in running businesses.
The objectives and goals of the project were thus achieved. However, the
following recommendations would be of great importance for future purposes.
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.content.res.Configuration;
import android.graphics.Color;
import android.graphics.drawable.BitmapDrawable;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.os.Handler;
import android.support.design.widget.NavigationView;
import android.support.v4.view.GravityCompat;
import android.support.v4.widget.DrawerLayout;
import android.support.v7.app.ActionBarDrawerToggle;
import android.support.v7.widget.CardView;
import android.support.v7.widget.Toolbar;
import android.text.TextUtils;
import android.view.Gravity;
import android.view.LayoutInflater;
import android.view.MenuItem;
import android.view.View;
import android.view.animation.AccelerateInterpolator;
import android.widget.AdapterView;
import android.widget.ArrayAdapter;
import android.widget.Button;
import android.widget.ListView;
import android.widget.PopupWindow;
import android.widget.RelativeLayout;
import android.widget.TextView;
import android.widget.Toast;
import com.it.projectvpn.BuildConfig;
import com.it.projectvpn.R;
import com.it.projectvpn.model.Server;
import com.it.projectvpn.util.PropertiesService;
import com.afollestad.materialdialogs.MaterialDialog;
import com.google.android.gms.ads.MobileAds;
import com.hookedonplay.decoviewlib.DecoView;
import com.hookedonplay.decoviewlib.charts.SeriesItem;
import com.hookedonplay.decoviewlib.events.DecoEvent;
import com.tapadoo.alerter.Alerter;
import java.util.ArrayList;
import java.util.List;
import java.util.Random;
CardView mCardViewShare;
Intent i;
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
// MobileAds.initialize(this, String.valueOf(R.string.admob_app_id));
homeContextRL = (RelativeLayout) findViewById(R.id.homeContextRL);
countryList = dbHelper.getUniqueCountries();
/* AdMob ad-listener callbacks, left commented out in the report's source:
@Override
public void onAdFailedToLoad(int errorCode) {
    //AdRequest adRequest = new AdRequest.Builder().build();
    //mAdMobAdView.loadAd(adRequest);
}
@Override
public void onAdOpened() {
}
@Override
public void onAdLeftApplication() {
    //AdRequest adRequest = new AdRequest.Builder().build();
    //mAdMobAdView.loadAd(adRequest);
}
@Override
public void onAdClosed() {
}
});*/
if (BaseActivity.connectedServer == null) {
Button hello = (Button) findViewById(R.id.elapse2);
hello.setText("Not Connected");
hello.setBackgroundResource(R.drawable.button2);
}
else {
Button hello = (Button) findViewById(R.id.elapse2);
hello.setText("Connected");
hello.setBackgroundResource(R.drawable.button3);
}
String totalServers =
String.format(getResources().getString(R.string.total_servers), totalServ);
centree.setText(totalServers);
arcView2.setVisibility(View.VISIBLE);
arcView.setVisibility(View.GONE);
arcView.addSeries(new SeriesItem.Builder(Color.argb(255, 218, 218, 218))
.setRange(0, 100, 0)
.setInterpolator(new AccelerateInterpolator())
.build());
arcView.addEvent(new DecoEvent.Builder(proc)
        .setIndex(series1Index2)
        .setDelay(2000)
        .setListener(new DecoEvent.ExecuteEventListener() {
            @Override
            public void onEventStart(DecoEvent decoEvent) {
                // nothing to do when the arc animation starts
            }

            @Override
            public void onEventEnd(DecoEvent decoEvent) {
                // refresh the server count label once the animation has finished
                String totalServers = String.format(
                        getResources().getString(R.string.total_servers), totalServ);
                centree.setText(totalServers);
            }
        }).build());
mCardViewShare.setOnClickListener(new View.OnClickListener() {
    @Override
    public void onClick(View v) {
        // Build a plain-text share intent carrying the app's Play Store link.
        i = new Intent();
        i.setAction(Intent.ACTION_SEND);
        i.setType("text/plain");
        final String text = "Check out "
                + getResources().getString(R.string.app_name)
                + ", the free app for vpn and proxy with "
                + getResources().getString(R.string.app_name)
                + ". https://play.google.com/store/apps/details?id="
                + getPackageName();
        i.putExtra(Intent.EXTRA_TEXT, text);
        Intent sender = Intent.createChooser(i, "Share "
                + getResources().getString(R.string.app_name));
        startActivity(sender);
    }
});
sendTouchButton("homeBtnRandomConnection");
Server randomServer = getRandomServer();
if (randomServer != null) {
newConnecting(randomServer, true, true);
} else {
String randomError =
String.format(getResources().getString(R.string.error_random_country),
PropertiesService.getSelectedCountry());
Toast.makeText(MainActivity.this, randomError,
Toast.LENGTH_LONG).show();
}
}
});
}
});
}
});
}
@Override
protected void onResume() {
    super.onResume();
    // Reflect the current connection state on the status button.
    if (BaseActivity.connectedServer == null) {
        Button hello = (Button) findViewById(R.id.elapse2);
        hello.setText("Not Connected");
    } else {
        Button hello = (Button) findViewById(R.id.elapse2);
        hello.setText("Connected");
        hello.setBackgroundResource(R.drawable.button3);
    }
    invalidateOptionsMenu();
}
@Override
protected void onDestroy() {
super.onDestroy();
}
@Override
protected boolean useHomeButton() {
return true;
}
lvCountry.setAdapter(adapter);
lvCountry.setOnItemClickListener(new AdapterView.OnItemClickListener() {
@Override
public void onItemClick(AdapterView<?> parent, View view, int position,
long id) {
popupWindow.dismiss();
onSelectCountry(countryList.get(position));
}
});
if (getResources().getConfiguration().orientation ==
Configuration.ORIENTATION_LANDSCAPE) {
popupWindow = new PopupWindow(
view,
(int)(widthWindow * landPercentW),
(int)(heightWindow * landPercentH)
);
} else {
popupWindow = new PopupWindow(
view,
(int)(widthWindow * portraitPercentW),
(int)(heightWindow * portraitPercentH)
);
}
popupWindow.setOutsideTouchable(false);
popupWindow.setFocusable(true);
popupWindow.setBackgroundDrawable(new BitmapDrawable());
return view;
}
int id = item.getItemId();
if (id == R.id.nav_speedtest) {
startActivity(new Intent(this, SpeedTestActivity.class));
materialDialog.show();
}
@Override
public void onDrawerOpened(View drawerView) {
}
});
toggle.syncState();
}
}
Screenshots
Fig: Welcome page
Fig: Country servers list
Fig: Speedometer
References
[1] Martin Murhammer (1999). A Comprehensive Guide to Virtual Private Networks, Volume 3. IBM Corp., U.S.A.
[3] Mike Fratto (2005). IPsec Vs. SSL: Picking The Right VPN.
[4] Cisco Systems (1999). A Primer for Implementing a Cisco Virtual Private Network.
[5] Keith Barker et al. (2012). CCNA Security 640-554 Official Cert Guide. Cisco Press.
[7] Cristian Matei (2012). CCNP Security VPN 642-648 Quick Reference.
[8] Catherine Paquet (2013). Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide. Cisco Press.
[9] Andrew Mason (2002). IPsec Overview Part Four: Internet Key Exchange (IKE).